Viktor Dukhovni <postfix-us...@dukhovni.org> wrote on 05.03.20 at 16:44:14:

> On Thu, Mar 05, 2020 at 09:08:43PM +0100, ratatouille wrote:
>
> > Don't know why TLSv1 is still offered on our servers running
>
> Probably because you're not changing the configuration in the right
> place. Double-check that you're configuring the correct Postfix
> instance (if using multiple instances) and that there are no
> master.cf overrides that trump the main.cf settings.
>
> > smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
> > smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1

Found out if I want to disable TLSv1.1 too I just have to do so:

smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

and suddenly it works ;)

> It is not yet a good idea to disable TLSv1 in SMTP. But if you must
> degrade[1] your SMTP security for some clients to make sure that all the
> check boxes come out green, then the above should be enough, provided it
> is set in the right place. I can confirm that bitclusive.de still
> supports TLSv1:
>
> $ posttls-finger -c -Lsummary -p TLSv1 bitclusive.de
> posttls-finger: Verified TLS connection established to
> smtp.bitclusive.de[2a03:4000:33:430:d423:c2ff:fe3d:b540]:25: TLSv1 with
> cipher ECDHE-RSA-AES256-SHA (256/256 bits)
>
> $ posttls-finger -c -Lsummary -o inet_protocols=ipv4 -p TLSv1
> bitclusive.de
> posttls-finger: Verified TLS connection established to
> smtp.bitclusive.de[92.60.38.182]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA
> (256/256 bits)
>
> Other than test TLS connections, do you still see legitimate inbound email
> in your logs (looking over a week or more of logs) delivered with TLSv1?

I have just two TLSv1 connections this month:

    ...
     11 TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)
      9 TLSv1.2 with cipher CAMELLIA256-SHA (256/256 bits)
      9 TLSv1.2 with cipher CAMELLIA128-SHA (128/128 bits)
      9 TLSv1.1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
      8 TLSv1.1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
      8 TLSv1.1 with cipher AES256-SHA (256/256 bits)
      8 TLSv1.1 with cipher AES128-SHA (128/128 bits)
      7 TLSv1.1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
      7 TLSv1.1 with cipher DHE-RSA-CAMELLIA128-SHA (128/128 bits)
      7 TLSv1.1 with cipher DHE-RSA-AES128-SHA (128/128 bits)
      7 TLSv1.1 with cipher CAMELLIA256-SHA (256/256 bits)
      7 TLSv1.1 with cipher CAMELLIA128-SHA (128/128 bits)
      4 TLSv1.2 with cipher ECDHE-RSA-DES-CBC3-SHA (112/168 bits)
      2 TLSv1.2 with cipher DES-CBC3-SHA (112/168 bits)
      1 TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
      1 TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)

> If not, then perhaps disabling TLSv1 will be harmless, but if you do,
> perhaps prod the senders to upgrade first, before you prevent them
> from establishing TLS connections to your MTA.

internet.nl says TLS 1.1 should be phased out and criticises this. It also
criticises the key exchange parameter DH-4096 as insufficient. I just
created that key and made it available with

smtpd_tls_dh1024_param_file = ${config_directory}/dh_4096.pem

Ok, thank you very much! Competent as always. I'll keep TLSv1 enabled for now.

-- 
Regards
Andreas
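The tally above is what Viktor's "look over a week or more of logs" check produces; the script below, an added example that is not part of the thread, does the same count over Postfix smtpd log lines and additionally lists which sending hosts still negotiate TLSv1 or TLSv1.1, so they can be prodded to upgrade before `!TLSv1, !TLSv1.1` is applied. The log lines are constructed samples in the format postfix/smtpd writes.

```python
# Added example (not from the thread): count TLS protocol/cipher combinations
# in Postfix smtpd logs and list the peers still negotiating legacy protocols.
import re
from collections import Counter, defaultdict

# Matches the "TLS connection established from" line written by postfix/smtpd.
# The peer is logged as "host[ip]"; protocol, cipher and key bits follow.
SMTPD_TLS_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?:Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established from (?P<peer>\S+): (?P<proto>TLSv[\d.]+) with cipher "
    r"(?P<cipher>\S+) \((?P<bits>\d+/\d+) bits\)"
)

LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}


def parse_tls_connections(lines):
    """Yield (peer, protocol, cipher, bits) for each inbound TLS handshake logged."""
    for line in lines:
        m = SMTPD_TLS_RE.search(line)
        if m:
            yield m["peer"], m["proto"], m["cipher"], m["bits"]


def count_protocol_cipher(lines):
    """Same tally as 'grep ... | sort | uniq -c': handshakes per protocol+cipher."""
    return Counter(f"{proto} with cipher {cipher} ({bits} bits)"
                   for _, proto, cipher, bits in parse_tls_connections(lines))


def legacy_peers(lines):
    """Map each legacy protocol to the set of sending hostnames still using it."""
    peers = defaultdict(set)
    for peer, proto, _, _ in parse_tls_connections(lines):
        if proto in LEGACY_PROTOCOLS:
            peers[proto].add(peer.split("[", 1)[0])  # keep hostname, drop "[ip]"
    return dict(peers)


# Constructed sample log lines (not real traffic); the last one is not a TLS line.
SAMPLE_LOG = """\
Mar  5 10:01:12 mx postfix/smtpd[4711]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)
Mar  5 10:02:40 mx postfix/smtpd[4712]: Trusted TLS connection established from legacy.example.net[198.51.100.7]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Mar  5 10:03:05 mx postfix/smtpd[4713]: Anonymous TLS connection established from old.example.com[203.0.113.9]: TLSv1.1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar  5 10:04:19 mx postfix/smtpd[4714]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)
Mar  5 10:05:00 mx postfix/smtpd[4715]: disconnect from mail.example.org[192.0.2.10] ehlo=1 quit=1 commands=2
""".splitlines()

if __name__ == "__main__":
    for entry, n in count_protocol_cipher(SAMPLE_LOG).most_common():
        print(f"{n:7d} {entry}")
    print("still on legacy TLS:", legacy_peers(SAMPLE_LOG))
```

Feed it real lines with `python3 tls_tally.py < /var/log/mail.log` after replacing SAMPLE_LOG with `sys.stdin`; any host that shows up under TLSv1 or TLSv1.1 is one that would fall back to plaintext (or fail, if it requires TLS) once those protocols are excluded.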